3b19486b4e14b206ec8ab2602ec6a430f9fce7ef40247b1e1f4c6f004ee468b4

Resubmissions

30/03/2025, 02:04

250330-chq9waznv9 9

28/03/2025, 18:23

250328-w1kpla1pv4 9

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift.exe
Size

20.1MB
MD5

532e28bfd55208ef66d609a48a65cf91
SHA1

5da3a7f1a437cae4109b4c052b7de697bc58a674
SHA256

3b19486b4e14b206ec8ab2602ec6a430f9fce7ef40247b1e1f4c6f004ee468b4
SHA512

10c57c4bd1c18242405bb7ac89361121b6169f3444122dbef246e4605b0f793f205a9fb36f5a8d820e9c8617bddb9df65b9590acbaada19a89ac7a064a23a0f1
SSDEEP

393216:V8JNpovBLKnLuJxQBqYuIavH5Cmq+Je5tmCTtu32syZ1k3hqdE7w:VMpWNW0mBqfvH5SZtlTtuGZgxqdcw

Score

9^/10

defense_evasion discovery execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Swift.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4716	powershell.exe
4836	powershell.exe
5084	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
30	5920	Swift.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Swift.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Swift.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	cmd.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/5920-0-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-2-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-3-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-4-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-5-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-229-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-251-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-552-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-822-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-879-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-910-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-1094-0x0000000140000000-0x00000001437AD000-memory.dmp	themida
behavioral2/memory/5920-1128-0x0000000140000000-0x00000001437AD000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Swift.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5920	Swift.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1748610778\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1127796337\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3364_1654684654\manifest.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1127796337\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\bn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3364_263093074\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping396_1660979810\_locales\az\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x00070000000243b4-250.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877739277902645"	msedgewebview2.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-446031748-3036493239-2009529691-1000\{F39428FD-9AD0-47CB-8553-044B8DCE3F80}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4716	powershell.exe
4716	powershell.exe
4836	powershell.exe
4836	powershell.exe
5084	powershell.exe
5084	powershell.exe
4336	msedgewebview2.exe
4336	msedgewebview2.exe
5372	msedge.exe
5372	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3364	msedgewebview2.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe
396	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5920	Swift.exe
396	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5920 wrote to memory of 4716	5920	Swift.exe	90
PID 5920 wrote to memory of 4716	5920	Swift.exe	90
PID 5920 wrote to memory of 4836	5920	Swift.exe	92
PID 5920 wrote to memory of 4836	5920	Swift.exe	92
PID 5920 wrote to memory of 5084	5920	Swift.exe	94
PID 5920 wrote to memory of 5084	5920	Swift.exe	94
PID 5920 wrote to memory of 3364	5920	Swift.exe	96
PID 5920 wrote to memory of 3364	5920	Swift.exe	96
PID 3364 wrote to memory of 4872	3364	msedgewebview2.exe	97
PID 3364 wrote to memory of 4872	3364	msedgewebview2.exe	97
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 5928	3364	msedgewebview2.exe	98
PID 3364 wrote to memory of 2456	3364	msedgewebview2.exe	99
PID 3364 wrote to memory of 2456	3364	msedgewebview2.exe	99
PID 3364 wrote to memory of 2308	3364	msedgewebview2.exe	100

C:\Users\Admin\AppData\Local\Temp\Swift.exe
"C:\Users\Admin\AppData\Local\Temp\Swift.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden -NoProfile -NonInteractive -Command "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Local\Temp\Scripts.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Roaming\Swift\Scripts'; $Shortcut.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden -NoProfile -NonInteractive -Command "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Local\Temp\Workspace.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Roaming\Swift\Workspace'; $Shortcut.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -WindowStyle Hidden -NoProfile -NonInteractive -Command "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Local\Temp\AutoExec.lnk'); $Shortcut.TargetPath = 'C:\Users\Admin\AppData\Roaming\Swift\AutoExec'; $Shortcut.Save()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --enable-features=RemoveRedirectionBitmap --lang=en-US --mojo-named-platform-channel-pipe=5920.4092.10591738236026185409
  2⤵
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\swift\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\swift\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.140 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7fff7b40b078,0x7fff7b40b084,0x7fff7b40b090
    3⤵
    PID:4872
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1740,i,5552828873919225673,2269991300961234762,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1736 /prefetch:2
    3⤵
    PID:5928
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2052,i,5552828873919225673,2269991300961234762,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2064 /prefetch:3
    3⤵
    PID:2456
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=1716,i,5552828873919225673,2269991300961234762,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:8
    3⤵
    PID:2308
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3596,i,5552828873919225673,2269991300961234762,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
    3⤵
    PID:4424
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=752,i,5552828873919225673,2269991300961234762,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
    3⤵
    PID:3932
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4644,i,5552828873919225673,2269991300961234762,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4336
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\swift\EBWebView" --webview-exe-name=Swift.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=4388,i,5552828873919225673,2269991300961234762,262144 --enable-features=RemoveRedirectionBitmap --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
    3⤵
    PID:3956
- C:\Windows\system32\cmd.exe
  "cmd" /c start "" "msedge" "https://key.getswift.gg/ks/checkpoint/1/YyWBIJFRerwrisExfJwgruzBJplGbBWNekJXmNAzZEDSHnvsso"
  2⤵
  - Checks computer location settings
  PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://key.getswift.gg/ks/checkpoint/1/YyWBIJFRerwrisExfJwgruzBJplGbBWNekJXmNAzZEDSHnvsso"
    3⤵
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2d8,0x7fff7900f208,0x7fff7900f214,0x7fff7900f220
      4⤵
      PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1960,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:3
      4⤵
      PID:2468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2344,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:2
      4⤵
      PID:5664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2588,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=2756 /prefetch:8
      4⤵
      PID:2148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3468,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
      4⤵
      PID:1400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3484,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
      4⤵
      PID:1832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=3472,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:1
      4⤵
      PID:5656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5016,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8
      4⤵
      PID:4992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4900,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
      4⤵
      PID:5080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5556,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=5748 /prefetch:8
      4⤵
      PID:1284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6044,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
      4⤵
      PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6044,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
      4⤵
      PID:3580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6300,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:8
      4⤵
      PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6328,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:8
      4⤵
      PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6104,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:8
      4⤵
      PID:5148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6244,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:8
      4⤵
      PID:5332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4284,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:8
      4⤵
      PID:5340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=5436,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:1
      4⤵
      PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2276,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=5404 /prefetch:8
      4⤵
      PID:5988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6472,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:8
      4⤵
      PID:6068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5812,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:8
      4⤵
      PID:4792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5780,i,14714665264538693534,509314890475130582,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping3364_263093074\manifest.json

Filesize
114B

MD5
e6cd92ad3b3ab9cb3d325f3c4b7559aa

SHA1
0704d57b52cf55674524a5278ed4f7ba1e19ca0c

SHA256
63dfb8d99ce83b3ca282eb697dc76b17b4a48e4065fc7efafb77724739074a9d

SHA512
172d5dc107757bb591b9a8ed7f2b48f22b5184d6537572d375801113e294febfbe39077c408e3a04c44e6072427cbe443c6614d205a5a4aa290101722e18f5e8

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping396_1127796337\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping396_1127796337\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8625e8ce164e1039c0d19156210674ce

SHA1
9eb5ae97638791b0310807d725ac8815202737d2

SHA256
2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2

SHA512
3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
11d938a070c170889edf5b9c66e17772

SHA1
ba06c510bd2bbd74474fc89548e38e0ba95be410

SHA256
6de8f49d666eef5c25117a5dd35e142d746fa5cccb508633d01d02a3e991a160

SHA512
a377aee2d36fdef4f10e4237a29c7d0df159f34d0cccf52f37ecd86d43f24a6c84568a6fa13fe9064a3eb8cfe71e8da7d1b39b0381b43a61dff7a005704a3717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
008becad26af205db93b05165308e748

SHA1
70040b91feeb12786bdabb38f67e02e907add056

SHA256
bf7d3df36614aac015883dadc609c359b5edfe15240087289a6f7bd58957e0f6

SHA512
684c02eeea716bb98255f3c863dd3b24b2e42229e5a264054776987a8f74e2529c4175bf23d74481877dc8912c62579bb07a508a848c623db43066815408aaf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57fafa.TMP

Filesize
3KB

MD5
a19d50596a95a69edaf109d91f1cfbc3

SHA1
61840d16c7ed3db0f530de3b6f4d185346c0089a

SHA256
65ebf4a99784543bd350022c74ec9ae84203b2c237edcc27d84a003db95cd843

SHA512
20f6e47f372d669d6ef0432ab702bb736ce34f99b9ff58c8b708c0c5802b9e5bc1f3b8a96531d67eaa010b9c5edf1104d03f31c450b00cf66570241b7a491752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
c26bc98f162e70cd3429b508bed5bc19

SHA1
866ca848d418e38d89e7d2c56420528d65594a05

SHA256
979b05e1a020fb98f22b84d7f93716477c72cb478a61a2637ecb0e854c2816e9

SHA512
bfc7bd287a0f51a3ed701e40d2d54e3e9f81f7312e71dd6eb93df4d4cb89bd0e1a074eaba8e5fa7e0db8e06b696c4a7d5708c20dc8ee19fc46e7f9cd787609f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
2ea487b5ddb23a520e1f76f9105ec5db

SHA1
00ce47e22fe114096278152d78409968812c53ae

SHA256
afb3832842ade960d70bfd2cd273890a114030004954d016e9b033a1b428668b

SHA512
87eef2b6d9c4b1bf2af9f8b19f2553749d55e7ead155649fffcbd66b33a9f0a63b3cde98cead433d2a8ba46f1f580295ec7e6a54614a4ca194367a5db760befd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\db07798e-b779-4751-bbf7-35acf8ca01f3.tmp

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
c91fe4acf31ccabe2513c078c3ba9e93

SHA1
fdde08961bb8a500acc7d818f841a595ec3c8dfd

SHA256
1780b4fd39b78d92bde4a41074029e83a8f0f0790c0394b0f2711cb86b9a92b9

SHA512
5ae165d418db6d6e9c71e543a3f89b9a67d6e0a0f2bf18c3b337f3e5a8af1b999aa82beddb72038b9699a1ba9163126c1f30942faedb22c7fe7ac30fa936a0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
67848bda875e224f698d0cb951d58a35

SHA1
20d3e1673345a2b09ceab86e179d21bb45661546

SHA256
34d5e414b2d0b98b6be999e74242a5425f1496e321b14190bc10e933cb763436

SHA512
9b6b212beb33361eb5db348672019954b61f12d52fa3c23e0f13fd949fdc40642cb379219ef4f9da9d484aeda87eea14bb3e5aca0ebc35a40eb8acf648e295d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
e07dd0dead49071976a4ac0b4add81e7

SHA1
56a0643049d9fdf7e228b03723a07a0e7c5c3a6c

SHA256
7a5c49a11c15d32358604ea28aa76ec79d3654dd23127cf86ddf8037d17eb065

SHA512
67725892e52356cc1f158b8accab5bd6947ed34f682b6e3c4abb8be614f744e43e276acba719783e03d9ef094d7d5710d204cc9036db36e288af452461dddd99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
9cb2c0f044c2e2df0d358084a1ea0b41

SHA1
6c6d46daf01301dae59a49343b4be1627a61220d

SHA256
2448f9ed54f8b783386a06fbdc5dee60b342b08557da152940bfbd91e0f2c0d6

SHA512
784426ffdddf88d8f4080efec4e315e64b489f68f71649175c2629b79e0cf09e93159ef98b0d1cfff14b9ecfdf96052df348191bc7ba60f0c9197bf99d809ed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
a03e168f1f77e5d7613bf9a1b09ce53f

SHA1
93b5b88789df0ff06167c51bd4545c7769c370b9

SHA256
6130c9d2c6781dea59f1fe7225577c6b37b0c7fea25f78b41dc35fdc2410e0f5

SHA512
cf0965ec9e47c19c0bd454353c0f4be293f22f11375b7bb6475e84e524193eb4ce153155c4ec0c9f8bbbfa0467d9161023ea41ca53bf8b87606d0e2857bf6d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
21a0abbfe03e1fe1623cedacd1c32641

SHA1
5eefd54aab597e7d033029e851722b6109c9b184

SHA256
156ade94eef8ec789241cb3d3e494645d9794bfccd05dd67fea3b2ffce3dfeb0

SHA512
d7227caef276ec7f8463b1eea19e66585d4b203578bcdb85200d021936f265afde2800c9f77689a696e2feca86eabe44a121f431cc2a189d27de665ee3c8c165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
165a9c7e102588e5332f616220e404f1

SHA1
70383755e22323084580056536b69040e6d2d174

SHA256
5181cf29a33fa528ee2594f74b1675c29ece97f979bdee6e9cc0082fb9716a8c

SHA512
e35989a2e7b24ca91499dea7310e054ef4ce0f0fefa60ba27b592d70f8d5bad52ad6d53d37332db449162d1da70e72d0666c5f222d8b8552909e6194053f5d83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
2839044ff6c85eefc520d7090b3d2744

SHA1
f962fe216ef1c2f6f75c42fd61bd2c016d6bf1d7

SHA256
8b6163381130c618afb24e6a140382eb1de25904516ea3984d58b774c3dd0b19

SHA512
1d2e12c84d1599c14747d75a90274032587a47c508d378176ce6ef381be7005fe3b32f4d42f184307810db19eea1cd1a61156d094d2ac4bd6e8ea517ae1a21f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
7202e4a1c28a11e2bc853f0fe7a81dbd

SHA1
efda0e8acf7ae4edf54946999df5c8f876e616f3

SHA256
8c33999d260a421355549122039117ad9f341e360325d510bdf903717c451fb7

SHA512
fb91f5db7e5392e93e3b3b6ad2db34a893fd546b45f5353720af694226788f49dd759a6457a3bb4fca4706aba1159672231439d6b7893d0f48db6df680d2131a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
b60e68f64a606b267748b8a33d57f46b

SHA1
dfcc8487c9e552b4c82427542033d88aa20ab9a2

SHA256
5619af9cf7e7cc8ba1d181c2419e5ed213e34b4535ee7fb19443bb713bd0ec98

SHA512
4fc38ac9b08f121ccd0515f46c5a2383c7e6de49cc1c1452f20090eabcaf55f07cf6db955c9b27ed52d44b1ab37033236b4399ea50a51f4b48ac74e2ae1e465a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
cfb65f37511541e0dd666c2749c87a09

SHA1
10fa4a2fd220c75b6ad47f6ec1fed5feceea857e

SHA256
0eef823ba3b39ec8c6d89e5e4ca7b6e693de82763bee038d348e30fd9ffe5afd

SHA512
4134cbce381cfd62b27082eee0f4aa2c9b43cb0ce82cdf32508b94d53d761f1118ab94352ee956ee2ac8a4cf5445ec51c544fe764157c1f97442e6ec8b7c6169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2a69c03efbab0f038eb4c1653b21a120

SHA1
8e52b46cea1a44f7318cac71c316f91c26e49e5b

SHA256
1ff2ee3c7a363a58c9da0e0b343b9ea0a81f92db3b89863c81cbfc7841601309

SHA512
0b692071bbe87da577fe0432acb3a9da45b9123bb484b51c7f701c5f73bb84d9263dba40edd11dcff257436e57a1e5c2fc63432a53d270fad70ee1166f899e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e22107b221e1be84c7250211d3e318f2

SHA1
10cae9b572e365fd1e41495928219dc0fafb3379

SHA256
8b85cf4cd76b6a4aa49802e42f186526b76d9083977f3ccd75fda2c485aa7128

SHA512
65246ca60013b0fcf72e224435cc1f89330fa428d6e36f483b817c855057c67c547c0a066d593cc53ee2f4af8be5345ea1c3d6d7746474dbdefe162a3bad0bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Swift-Module.dll

Filesize
22.5MB

MD5
c568dbc5fd90067a6712055023a18568

SHA1
1546683eb7ed167b54b9e4fb0a8ae72374f688e8

SHA256
ed927320654bccb0164b7c1e8835975ec9f680d607cfea982c7a0a103684d188

SHA512
72da4af29fd9aeda9851fc0a0a4ffc8a5b35f260074f2203381a760c94e4b836fe28b11186a6d3cca4d01de65893c0063edfcf355268b689330915ab66339816

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zdztj1q.ksg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\CertificateRevocation\6498.2024.12.2\crl-set

Filesize
21KB

MD5
846feb52bd6829102a780ec0da74ab04

SHA1
dd98409b49f0cd1f9d0028962d7276860579fb54

SHA256
124b7eeba31f0e3d9b842a62f3441204beb13fade81da38b854aecba0e03a5b4

SHA512
c8759e675506ccc6aa9807798252c7e7c48a0ab31674609738617dc105cee38bce69d4d41d6b95e16731466880b386d35483cbeea6275773f7041ba6e305fae9

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
a7ce1d9e81f2021c152fa3531aa411a8

SHA1
2dc90e0a0fe3092af65c17764866cb72ab9fe856

SHA256
b4679ad653587a4cd34002c68a50ae480684c3eef8250e263bc207079bfe3a82

SHA512
b0b76a1e4aef0a636b7f11c89c590227592f0bc7dea8eff8ea1c9bcbfb0b8e1d50c390e0c94f697423b3e04d2808cbc8db2a8eac68e4fd8ee1febcc61c679247

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
8eee48730f3a95f3577a0aa46d9d1b99

SHA1
7f625ba95041b0f7c61d9f73122c6e9daddb6505

SHA256
05e03d7081b95bc528d30ae6ddfde9f6f7d394548716b96b945e2f1ef30b0649

SHA512
42b8033b692b00b8b828970031d5469af80751398ccefb219caa0f5aa7b42b0f8e2706e65ea19077ab0dea8e6726aa805a22e39589628c21e9029136fad49d41

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
ffcf25ddf307731682ce8b686874bf96

SHA1
e9fdae8552ee54e0e0a7f9efb627e5ad3d60994f

SHA256
1c931cfb3c5f622ab55adbaf9f3ded5e110b74e14390b58bb1133a876bbfc4f9

SHA512
f75749b26883fe49bad82bb9ef853e93785fd79651a558b2620c7d5ff6d7977b05e9874281e53203692bd786971ff3f34cc6a1b35b5dec1c56b0c177f5fff4f2

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
bfd824f8730511cbf65c98b71e7de6c5

SHA1
e9b8e4a7d8d576eeb33b84a2a4f9194c5c0f7ef2

SHA256
6dddb94ea9e96b484f69c948b2de6c56367b730b7d20dfe8295d5311042dc89f

SHA512
dc6e126c6af6ce0ec9fa623d188a63a28c9f690fa8c19d5024f1749c6a02be9bbc6544ea46cfb913848063e7e08704aeb5fc32f5edc8e26b77d1f6bca3f6aeda

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Network\Network Persistent State

Filesize
426B

MD5
673a55adab272688e09e39592c09f159

SHA1
774b51c8569f32dc3ae4ad0ffcc9bd7a7969896f

SHA256
8c5b930c23548b3dccf627d871d3dbd2df5fbf3920db58cc662926203a639d0d

SHA512
e5c0c63f2f40bb88cacfa10952ab594edaeab6b40b075dbb1bf69e27317b8949d8ba6738c71b62e877045ed446c0b6581f80cb9c2b7413d4ca2264f45b14c3e1

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Network\Network Persistent State~RFe589c1c.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Preferences

Filesize
6KB

MD5
f3665cf29331951c2f2246f98d65711c

SHA1
fa78e871118c486e8f76d8064851783cc8f630ef

SHA256
4a22f6f79d589f705f96457f1a377642ea6630ca7fb29417b9a62467afe68aae

SHA512
2be24b3cdf97bd9f980ac23089021f0154f2473fe1fa5c19d4bccf12a187fb642c608fb8088845fd6ec8b1de96b302899249a5b82abf893bd658a0150ecb2a4e

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Default\e439c7fc-5aad-4e10-abb3-db02d9ed183c.tmp

Filesize
6KB

MD5
11501a40131a296895aa29c4a3bec629

SHA1
680356cfa97f2142a0fefb4d2461a25539ed20c0

SHA256
de2ede2b1f5ee9a4c869f2450a5254f5573b609c79b8aa331881f4d89c79203f

SHA512
9f25eaad2cedf9a2f5bcef650b5dd03c8250d2d0a70e2d6bd0e3e32b6ed5fbd3b2a886ea40efb853ccabf1b6b1498353691b9ee8c52b47dc576aabe0ae6e00e0

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Local State

Filesize
3KB

MD5
f25eb1f1f0d9e52922138b9b73607e23

SHA1
6c4c19062dce11ca2656a8117bd8d0a2afc65eec

SHA256
c9b62baefa43420658e9a7235a9bdf28f040432ee93736103ad8b7fd42e5b6ca

SHA512
b31c860adcd91bdd03c5fad6545bcb6a58309897ce3df0a9faae9e941a1dea059ab9ade27bb70cf56c1fa9b3459faad74d6c45f9126c01608b1c49e050861c36

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Local State

Filesize
16KB

MD5
026edec7dc4cefa6ce6bd999d91c8c37

SHA1
58d0d1da500312a1253ae87e3238bc36e5b482c1

SHA256
a7095cb5875288dda68e775ff0af8e5c1a6dfa33f91988440a11c4cb29ffaeb3

SHA512
0b0457184ce4dbc6d73cb404d47080b3b7f87f401c6d5705fc67f5a64352670143f646243ce1dfa2724962a930e40e4a41f81416312d98e3b9e2ded66bb21031

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Local State

Filesize
1KB

MD5
142f592674fddd01f5771030f4c8a815

SHA1
889f27c895ef8875696134a90e72399c611da9f0

SHA256
50865979de2ecaa228ab256124683b87bef0dab7cdd4b4197780ac16cff7b463

SHA512
06cf9d32d46bf73f9fcbefbfe01c41319a14885cedc52cc422c1c99cb391c6b31649ff5cfd2f331759636bcc4dd66cb4e16ce738e41aaa307c23bd34ee0bdb4a

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Local State

Filesize
16KB

MD5
c09bc9e3a3a589c76307a0928c0683d4

SHA1
bfcc34ad12c5293a728167c7a4a2ff101499e4f8

SHA256
24b5b286c3681f921d8e9a7e713b7a7b1797de92f74d37f5f0f913faad05f698

SHA512
247a071bcd840e8c5ef323c084500b0d8ce8077f26775b1a8d3eb5db9b723af8944e8a825d2eab0c90f1464b4ebf7e98a862e744f9a3cb809e72a97d6ecfb483

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\Local State~RFe5774a3.TMP

Filesize
1KB

MD5
49203d9f76eee74ac182a078de89c807

SHA1
c90bb504a7431386b8e4729529385c20d02b144d

SHA256
438f3ecddd4c3550781fd156fdb56279406b3630ed01a3c3e64577b40e8b75cc

SHA512
7ce2fccfb14babac3d228d4b5d9806f747449e1832bea4a90891219e4a5b26dd78b5939032d37dd891b004b736aaf9ce0aaba7cc016305378ecd5717a07dc88d

Download Submit
C:\Users\Admin\AppData\Local\swift\EBWebView\e5692cdd-22ea-4e68-bdbc-709ce147f5ce.tmp

Filesize
2KB

MD5
98ec29bdaef1999807c216017a950304

SHA1
000d8c7ae8ea05ee2ff9999b42132e5c16f9c88a

SHA256
b30f21f76bab3c00c781096824e50bad76282c554b38b11dc72bab20ff6cccbf

SHA512
9ada06406092be78b48fbcf5c74646f4d5a550e999423e38f894672158ed0d4901d48736db42879aa2879d8cee2e3692ade7a432e94550d9805e00ef8b2a40a4

Download Submit
memory/2308-98-0x00007FFF98530000-0x00007FFF98531000-memory.dmp

Filesize
4KB

Download
memory/2308-97-0x00007FFF99A50000-0x00007FFF99A51000-memory.dmp

Filesize
4KB

Download
memory/4336-1107-0x0000023845BB0000-0x0000023845BB1000-memory.dmp

Filesize
4KB

Download
memory/4336-1095-0x0000023845BB0000-0x0000023845BB1000-memory.dmp

Filesize
4KB

Download
memory/4336-1101-0x0000023845BB0000-0x0000023845BB1000-memory.dmp

Filesize
4KB

Download
memory/4336-1102-0x0000023845BB0000-0x0000023845BB1000-memory.dmp

Filesize
4KB

Download
memory/4336-1103-0x0000023845BB0000-0x0000023845BB1000-memory.dmp

Filesize
4KB

Download
memory/4336-1104-0x0000023845BB0000-0x0000023845BB1000-memory.dmp

Filesize
4KB

Download
memory/4336-1097-0x0000023845BB0000-0x0000023845BB1000-memory.dmp

Filesize
4KB

Download
memory/4336-1105-0x0000023845BB0000-0x0000023845BB1000-memory.dmp

Filesize
4KB

Download
memory/4336-1106-0x0000023845BB0000-0x0000023845BB1000-memory.dmp

Filesize
4KB

Download
memory/4336-1096-0x0000023845BB0000-0x0000023845BB1000-memory.dmp

Filesize
4KB

Download
memory/4424-179-0x00007FFF98A60000-0x00007FFF98A61000-memory.dmp

Filesize
4KB

Download
memory/4716-22-0x00007FFF99A90000-0x00007FFF99C85000-memory.dmp

Filesize
2.0MB

Download
memory/4716-17-0x00007FFF99A90000-0x00007FFF99C85000-memory.dmp

Filesize
2.0MB

Download
memory/4716-6-0x00007FFF99A90000-0x00007FFF99C85000-memory.dmp

Filesize
2.0MB

Download
memory/4716-18-0x00007FFF99A90000-0x00007FFF99C85000-memory.dmp

Filesize
2.0MB

Download
memory/4716-13-0x0000026B752B0000-0x0000026B752D2000-memory.dmp

Filesize
136KB

Download
memory/5920-0-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-1128-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-5-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-251-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-229-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-879-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-552-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-1-0x00007FFF99B30000-0x00007FFF99B32000-memory.dmp

Filesize
8KB

Download
memory/5920-822-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-910-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-1094-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-4-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-3-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5920-2-0x0000000140000000-0x00000001437AD000-memory.dmp

Filesize
55.7MB

Download
memory/5928-75-0x00007FFF98A60000-0x00007FFF98A61000-memory.dmp

Filesize
4KB

Download